Online Product Support

To help with the support process, Safestone has collected some of the most frequently asked questions on these pages. They are grouped into the categories below; each question is followed by its answer.

For more in-depth questions, or any question that is not included in the FAQs, please contact your local Safestone support office for assistance.

General Questions

The following questions are answered below. Click on a question to view the answer:

How many new releases of DetectIT will be available during the year?

There will be at least one main release per year, with 3 further sub-releases, normally at the end of each quarter.

How can I obtain the current release of DetectIT?

Contact your DetectIT Advisor and they will arrange this for you.

Before activating DetectIT Network Traffic Controller do I need to check whether I am already using the OS/400 exit points?

When activated, the DetectIT Network Traffic Controller will replace any currently registered exit point programs. Therefore you should check whether you have existing programs attached to the IBM exit points. Please perform the following:

  1. Sign on as the ALERT profile
  2. Run the command: RTVINFEXTP
  3. The result of this command is generated into file MSF577 in library @MS. Please send this file to your local Safestone support team for them to analyze.

Can we change the ALERT and ALERT01 profiles to have less authority?

DetectIT was created to perform security related functions on the System i. Some of these tasks require the same level of authority as the OS/400 security officer, QSECOFR; therefore the high level authorities we grant to these profiles are essential.

Without *SECOFR user class level authorities, the ALERT and ALERT01 profiles will not be able to perform certain tasks, for example:

  • QAUDJRN system auditing
  • Profile maintenance
  • Policy compliance

During installation / upgrade, both ALERT and ALERT01 are created / updated with the values USRCLS (*SECOFR) and SPCAUT (*USRCLS). This ensures these profiles have the correct level of authorities irrespective of the OS/400 release. If IBM were to add additional authorities for the QSECOFR profile, this will ensure the additional authorities are granted to the ALERT and ALERT01 profiles also.

Please note that the ALERT profile is the security officer for DetectIT, while ALERT01 is used primarily to process network activity for DetectIT.

How do I find out what release of DetectIT I have on my system?

From the DetectIT Master menu, take option 65 for the Technical Assistance Information (or option 60 from the older style menus). Alternatively run the following command “CALL MSC710I”.

For support purposes, your DetectIT Technical Engineer may need to know the latest PTF level of DetectIT. From the same program (‘Technical Assistance Information’) press F10; this will show you which PTFs have been applied to your system. The latest PTF is displayed last.

How does the time-out control method work? What do the values “M” and “R” mean?

“M” means message control. If the field is set to “M”, the program will replace the QINACTITV and QINACTMSGQ system values. QINACTITV will be set to “5” and QINACTMSGQ will be set to “@MS/TIMEOUTQ”. This means OS/400 will send a message to @MS/TIMEOUTQ whenever a user’s interactive job has been idle for 5 minutes. The action taken by DetectIT will depend upon the timeout action defined against the ‘resident company’ for that user. When using DetectIT profile maintenance each profile is assigned to a DetectIT company. This company is known as the resident company.

“R” means Record control. If the field is set to “R”, the QINACTITV and QINACTMSGQ are not used or affected. Instead a system API is used to work out the time a job has been idle. Again, the action taken, by DetectIT, will depend upon the timeout action defined against the appropriate “resident company”.

What are the names of the DetectIT subsystems? What do they do?

The DetectIT subsystems are called ALERT and TIMPGM. In order for DetectIT to function fully, these subsystems must be started. The jobs in these subsystems perform a number of functions such as:

  • Monitoring the running of DetectIT
  • Watching a message queue to see if an action needs to be performed
  • Connecting to the DetectIT Graphical Clients

Many of the jobs will be at a status of “MSGW”, and will only become active when required. Others will have a status of “TIMW”, specifically those waiting for external activity.

Can I use ENDSBS to end the DetectIT subsystems instead of the options on the main menu?

It is not recommended that you use the OS/400 command, because the DetectIT process performs some housekeeping functions too. For example the Safestone function removes redundant DetectIT jobs and updates a number of parameters. Either use the options on the main menu to End and Start the subsystems, or use the following commands:

STRALERT - to start ALERT and TIMPGM subsystems
ENDALERT - to end ALERT and TIMPGM subsystems

Will ending and restarting the DetectIT subsystems cause any problems with users signed onto the System i?

If the DetectIT subsystems are inactive, users can still perform their regular work. However, DetectIT will not provide some of its security checks while the subsystems are down, such as:

  • Intrusion Detection alerts
  • Time-Out processing
  • Network distributions

We recommend that the subsystems are active at all times.

When a key expires for a module, what is the impact on the settings we have defined within DetectIT?

If a module key is no longer valid, users can still sign on, the administrators can still stop & start the subsystems, and the settings within the Network Traffic Controller will still be effective.

However, access is restricted to most DetectIT menu options, in particular where maintenance is concerned. The End of Day process only reports upon data relating to modules with active keys, therefore any expired module will not be audited.

If I make changes to the TCP/IP Connections within the Network Configuration screens, do I need to stop and start DetectIT?

Yes, you will need to use either the ENDDTISVR or ENDALERT commands to end the DetectIT servers from the TIMPGM subsystem, if you have made ‘TCP/IP Connection’ configuration changes for the ports. Once the changes have been made and the DetectIT servers have fully ended, you must restart them using the STRDTISVR or STRALERT commands.

Can FTP, TELNET and other external connections be restricted to certain IP addresses using DetectIT?

Yes, you can use a range of IP addresses or just single IP address entries. When entering TCP/IP addresses, wildcards (*) are allowed. However, there may only be one wildcard within each “octet”. Valid entries include:

  • 172.10.12.151
  • 172.20.12.*
  • 172.*.12.*
  • *.*.12.151
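As an added illustration (not Safestone code), the following Python checks that an entry follows the rules above (four octets, each a number or a single “*”) and matches a connecting address against a list of entries. The entry grammar is inferred from this FAQ, and the sample entries are constructed.

```python
"""Wildcard IP entry validation and matching, as described for the DetectIT
Network Traffic Controller. Added illustration, not Safestone code; the rule
"one wildcard per octet" is taken from the FAQ, the rest is assumed."""
import re

# An octet is either a lone '*' or 1-3 digits; exactly four octets, dot separated.
_ENTRY_RE = re.compile(r"^(\*|\d{1,3})(\.(\*|\d{1,3})){3}$")


def is_valid_entry(entry: str) -> bool:
    """True if the entry is four octets, each 0-255 or a single '*'.
    Partial wildcards such as '17*' and short forms such as '10.0.*' are rejected."""
    if not _ENTRY_RE.match(entry):
        return False
    return all(o == "*" or 0 <= int(o) <= 255 for o in entry.split("."))


def entry_matches(entry: str, address: str) -> bool:
    """Compare a concrete address against one entry, octet by octet."""
    if not is_valid_entry(entry) or not is_valid_entry(address) or "*" in address:
        return False
    return all(e == "*" or int(e) == int(a)
               for e, a in zip(entry.split("."), address.split(".")))


def first_match(entries, address):
    """Return the first valid entry that matches the address, or None.
    Invalid entries are skipped rather than silently matching everything."""
    for e in entries:
        if entry_matches(e, address):
            return e
    return None


def invalid_entries(entries):
    """List entries an administrator would need to correct before relying on them."""
    return [e for e in entries if not is_valid_entry(e)]


# Constructed sample: the FAQ's four valid forms plus two malformed entries.
SAMPLE_ENTRIES = ["172.10.12.151", "172.20.12.*", "172.*.12.*", "*.*.12.151",
                  "10.0.*", "172.1*.0.1"]

if __name__ == "__main__":
    for addr in ("172.20.12.7", "172.99.12.200", "10.1.12.151", "192.168.1.1"):
        print(addr, "->", first_match(SAMPLE_ENTRIES, addr))
    print("invalid entries:", invalid_entries(SAMPLE_ENTRIES))
```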

Are there any special procedures I need to take to deal with DetectIT when running nightly backups on my System i (or system saves, IPLs, etc.)?

Yes, you will want to make sure that the DetectIT subsystems have ended prior to any of the procedures involving ending the system or backing up of files. Use the ENDALERT command from either your own procedures, from the command line or take the appropriate option on the DetectIT Master Menu. Be sure to allow enough time for the jobs in the ALERT and TIMPGM subsystems to end controlled. Likewise, you should use the STRALERT command in your startup job that runs after an IPL or backup.

Can I print the reports from the Graphical software to my PC?

Yes, in the DetectIT Graphical modules you can print your report into Word, plain text, CSV, HTML or straight to a printer.

How do I configure the work server and report server ports on the System i, so that I can use the DetectIT Graphical client?

Follow these steps:

  • Ensure you are signed on as the ALERT profile.
  • On the command line, type: WRKDTITCP.
  • Check whether a ‘product’ called DTIE is present.
  • If it is not present, take F6 to ‘Add’.
  • Enter a 1 against DTIE and press enter twice (ensure that the port number is the same as defined in the Graphical client)
  • Repeat the above steps for a product called DTIERPT - the reports server
  • From the command line, enter STRALERT to start the DetectIT subsystems and the servers. NOTE - if the DetectIT subsystems are already started they will need to be ended before the STRALERT.

How can I tell whether my DetectIT Graphical client is communicating with the System i?

The status bar, at the bottom of the window, should show the system name or IP address of the System i you are connected to. Each time a request is sent to the System i, and the PC is waiting for the response, an animated DetectIT logo is displayed. In the Networked version of the Graphical client you can verify the connection to the System i by selecting ‘Verify Connection’ from the ‘Connections’ drop down menu.

In addition, you can check whether the relevant jobs, (ALERTDS02 and ALERTDS03) are running on the System i. From a command line enter:

WRKACTJOB SBS(TIMPGM)

and check whether either of the jobs are in RUN status (at other times the status will be TIMW).

Installation and Upgrade Questions

I have installed DetectIT but cannot see any options for the modules we have acquired. Why would this be?

You need to enter a license key to enable the modules. If you have not received this key please contact your DetectIT supplier or Safestone Account Manager.

I am upgrading to a new version of DetectIT. Will I need new keys?

No, the license keys that have already been supplied will work correctly after the upgrade. To ensure that the license information is copied from one release to another please ensure that the flag ‘Transfer Data’ is set to “Y” during the DetectIT upgrade. If you choose to enter an “N” for this parameter, the license key will need re-applying manually after the upgrade completes.

Can I install the update for the new DetectIT Graphical software on top of my existing Graphical installation?

Yes, the new release will automatically save your existing configuration and then update the programs as necessary.

Do I need to end the DetectIT subsystems in order to install an upgrade?

Yes, you will need to end the DetectIT subsystems, but note there will be other critical pre-requisites for the upgrade procedure. For full instructions please refer to the sections titled “Upgrading Native Software”, “Upgrading the Graphical Software on System i” and “Installing the DetectIT Graphical Software on the PC” in the Deployment Guide.

How can I find out what releases of DetectIT are compatible with each OS/400 operating system release?

Please refer to the Version Support page.

Why has the network attribute JOBACN changed from *FILE to *SEARCH during the installation?

This is so that the DetectIT networking module can function correctly. The table of network job entries will be searched in order to determine the action to be taken for the input stream. DetectIT will ensure that the correct entries are maintained for its own requirements.

This change is ONLY necessary if you will be using the QSNADS communication methodology within the DetectIT Networking module. If this does not apply to you then please feel free to change the value back.

What is the correct way to install DetectIT on a new System i machine or partition?

(This assumes that you have the correct license for the new partition / system.) It is important that the correct procedure is followed for a new install; when it is performed incorrectly, you may see messages about serial numbers and model numbers when starting the DetectIT subsystems.

Issues sometimes arise because a client has loaded DetectIT onto a new partition by restoring from DetectIT libraries saved on another System i. This is not the method recommended by Safestone.

The only clean way to install DetectIT is from the original Safestone CDs. It is recommended you do this for all new installations.

Similarly, it is recommended that you only restore DetectIT from backups that were taken on that same system. An alternative to this is to use the DetectIT Network module which helps you to control multiple System i systems from one centralized “console” and distribute DetectIT definitions from one system to another.

If you have restored from backups made on a different system you will need to enter a permanent key and possibly an upgrade key and use the CHGSYSNAM command which will update the old database with the new system name of the System i.

NOTE: the CHGSYSNAM command is necessary if you intend to ‘re-use’ the settings from the other System i. In many of the DetectIT files the system name (e.g. SYSTEMA) is used as a major key when accessing / updating the files. Therefore after loading on SYSTEMZ from SYSTEMA’s backups you will need to perform the CHGSYSNAM command.

HA (High Availability) products can produce similar key problems if you journal the Safestone @ libraries.

Can Safestone provide me with a temporary license key to use during my disaster recovery test?

We could send a temporary key in advance, but that does not really duplicate a true disaster in the real world, although it would be nice if you got 2 days’ warning.

As an alternative you should be aware of a part of DetectIT called ‘contingency key processing’. This is intended for a disaster recovery scenario, specifically where DetectIT is loaded on a 3rd party System i, on a temporary basis.

Obviously in a DR situation, you need to get up and running as quickly as possible, therefore we provide a key within our standard documentation that you can utilize. This will give you 14 days to use DetectIT on any box, after that you would need to contact Safestone for a further temporary key.

This contingency key and the process is listed in the DetectIT native manual called ‘General Concepts Guide’ which can be found on the ‘Documentation’ CD.

I am about to upgrade DetectIT and I see libraries @APYDTI and @APYESRS. Can these be deleted?

You can delete the libraries before the upgrade. Libraries @APYDTI and @APYESRS can be removed safely at any time.
They are left on the system so that they are available just in case you want to install DetectIT libraries around a network of System i machines, without physically dispatching the CDs.

Troubleshooting Questions

We are receiving the message … “DetectIT module ‘XXX’ is not valid. Please contact software supplier”. What does this mean?

This message is generated because of a missing license key. It is sent when DetectIT attempts to execute a report or program for a module which is not valid.

If you believe you should have a license for this module, contact your DetectIT supplier or Safestone Account Manager as soon as possible. However if you believe you do not utilize this module you can safely remove the message by executing this command:

RVKMODUSE XXX

I have noticed that the @MS library is getting bigger - why is this? How can I reduce it?

If you are collecting a large amount of security data and not purging it regularly, then the @MS library will grow. You can take a number of steps to control this within the Security Audit and Detection menu:

  1. Ensure you are printing only the reports you need; using “Control Daily Reports Requirements”.
  2. Change some of the reports, so that they print in ‘summary’ format rather than ‘detail’.
  3. Decide which events you don’t need to see on the reports and omit them using the “Post Filter Screening” option.
  4. Reduce the amount of history kept online - review the System Maintenance screen for the number of days that DetectIT is retaining in history.
  5. Review the “Set Up Auditing Details” program. Additional “retain” parameters can be altered here to reduce the size of the security repository.

On request your DetectIT Technical Engineers can also provide interrogative tools to help further analyze the collected data.

I have a systems monitoring package and I have noticed that jobs called ALERTF1, ALERTF2 and ALERTF3 are running on a regular basis. What do these jobs do?

The ALERTF* jobs collect data for the DetectIT security repository, which is used to produce the End of Day reports and provide online enquiries. The 3 jobs are:

ALERTF1 - data collection from QAUDJRN and QHST
ALERTF2 - data collection for DetectIT file monitoring
ALERTF3 - data collection for Network Traffic Controller

You can specify how often these jobs run by changing the individual “Update Frequency (mins)” parameters in ‘Set Up Auditing Details’ in the Security Audit and Detection (NOTE: if you do not use this module then similar programs can be found in the Network Traffic Controller).

If you specify a value of zero for these parameters, then no update will occur during the day, i.e. no ALERTF* job will run. The only update will occur during the End of Day run just before the DetectIT daily reporting.

If you set the jobs to run at regular intervals throughout the day, only new events will be collected, i.e. those that have occurred since the last run. One consequence of this is that the End of Day process will take less time to run because most of the data it needs for reporting purposes has already been collected.

My End of Day Audit reports are not running within DetectIT. Why?

Please review the System Control Management program (option 1 on most native module menus or from the ‘System i Data’ drop down menu in DetectIT Graphical). The parameter ‘Daily Reporting Time’ should be set for a time that will not interfere with other processing on your system (for example backups or IPL, etc.).

Another item to check is that the ALERT and TIMPGM subsystems are active. They must be active in order for the End of Day reports to run within DetectIT.

To see whether previous End of Day processes ran correctly, and for how long, use the command DSPEODLOG.

The reports generated by DetectIT End of Day contain information about events generated by users and programs that I don’t need to know about. How can I omit this information?

Within the “Post Filter Screening” option in the Security Audit and Detection module you can define rules which will cause matching events to be omitted from the reports. You can filter using global rules (i.e. affecting all reports), or rules for each individual report. The events to be omitted can be defined by combinations of job name, user ID, message ID and program name.

Please note that these events will still exist in the security repository for online interrogation, even though they are not printed on the End of Day reports.

When I sign on as ALERT I receive the message “profile expired please contact your manager”. What do I need to do to fix this?

When the ALERT profile is delivered the profile is set to never expire, therefore a parameter must have been changed at some point. Please contact your DetectIT Technical Engineer and request the procedures for resetting ALERT.

We’ve received a CPF4128 error message about an object in DetectIT that is preventing other DetectIT jobs from processing. How can we prevent this from occurring?

The error you mention has been seen in the situation where the backup process locks files in the Safestone @* libraries, but another DetectIT process tries to access the same file. This is normally because the DetectIT subsystems have not been ended. Cancel the job, and ensure that DetectIT subsystems are fully ended before the backup starts.

I am experiencing communications errors and/or timeouts when trying to use one of the DetectIT Graphical modules. What could be wrong?

Please check the following:

  • Ensure that the required DetectIT release level and all current PTFs have been installed and applied on the System i that you are trying to connect to. This information is included in the Deployment Guide.
  • Check that the System i that you are trying to connect to can be reached from the PC where the client is loaded - try to ping the System i using the system name/IP address that you have defined within DetectIT Graphical.
  • Check that the server jobs are active, on the System i that you are trying to connect to. From a command line on the System i, type WRKACTJOB SBS(TIMPGM). The jobs ALERTDS02 and ALERTDS03 should both be active with a status of TIMW.
  • Check the TCP/IP status on the System i. From a command line on the System i, type WRKTCPSTS and take option 3. Ensure that local ports 6969 and 7272 (or your selected ports if you changed the Safestone defaults) are both listening and that there is only one instance of each.
  • Try increasing the timeout period (from the ‘Environment’ drop down menu take ‘Settings’). The system may be busy and could be taking a long time to respond.

Check that the relevant Graphical module libraries are installed on your System i. Library @MSE should always be present, and the following libraries should be present depending on which modules have been installed:

Security Audit and Detection - @MSEAUD
Risk and Compliance Monitor - @MSEEXM
Network Traffic Controller - @MSECS

Why do I fail the security check when trying to access my System i from the DetectIT Graphical module?

This message suggests that the license key is not valid on the System i that you are trying to connect to.

I cannot connect to a particular System i because it says that the DetectIT Graphical Software on my PC and/or the System i that I am connecting to are not compatible. Why?

In order to run the software, there must be version match between DetectIT loaded on the System i, and the DetectIT Graphical client. A message of this type means that at least one part of this software is out of step with the other.

Since upgrading to release 11 of DetectIT, the Network Traffic Controller logs do not always show the current data. Why?

A new facility was introduced in release 11 of DetectIT called “Frequency Update for Client Server logs”. This was introduced in response to the increase in log size and activity we have noticed with recent versions of OS/400. It is designed to reduce the number of locks and rebuilds we had seen on the DetectIT Network Traffic Controller log files (MSF194*).

In release 11, when events are recorded they are stored in a temporary transaction file before being updated into the permanent MSF194* files. The frequency of the data collection from temporary to permanent is controlled by a new parameter which is set to 00 on install - i.e. no update is scheduled, apart from when the EOD process runs. This allows you to tailor the parameter to your own environment.

Please note that as the temporary file has been collecting data since your last EOD the first ALERTF3 job may take longer to run than normal.

The DetectIT server jobs ALERTDS02 and ALERTDS03 do not appear in the TIMPGM subsystem. Consequently the DetectIT Graphical client cannot connect. Why is that?

The jobs ALERTDS02 and ALERTDS03 only appear if you configure them to appear before the subsystems are started.
To configure this:

  • Sign on to the green screen profile ALERT, and enter the command WRKDTITCP.
  • On the resulting screen, take F6 to ADD a new TCP/IP connection.
  • On the next screen select DTIE - GUI Work Server - by entering a 1 against that line. Press ENTER.
  • On the next screen you are permitted to change the ports that DetectIT will use to connect to the GUI. If you do not need to do this, just press ENTER.
  • Repeat steps 2-4 for the ‘product’ DTIERPT - GUI Work server.

When you have added these two details return to the DetectIT menu and restart the subsystems. The DS02 and DS03 jobs should now appear.

Please ensure that in the Graphical client the ports are consistent with the values you chose above.

For further information see the document “DetectIT Graphical Getting Started Guide” - section 2 “graphical software configuration”.

During a backup of the DetectIT libraries we received a message that the data area MSDTA82 was locked. Why would this be?

The data area MSDTA82 is used to ensure that the ‘end of day’ process (started by job ALERTPRT), is complete before performing some ‘housekeeping’ procedures. Therefore if MSDTA82 is in use it is because the ALERTPRT procedure has not yet completed. If you are trying to save the @* libraries before ‘end of day’ completes, you will get this lock message.
To rectify this:

  1. Check whether the end of day procedures normally complete in a ‘sensible’ amount of time. Use the DetectIT command DSPEODLOG to review the recent runs of this process. Normally we would expect this process to take from 20 to 80 minutes.
    If it has recently started to take longer, then it is likely that you are generating more information than before, and this may be lengthening the collection process. Do you need to move the ‘end of day’ process to a different start time when the system is less busy?
  2. When preparing for your weekly saves it is important to check that the DetectIT subsystems have fully ended. If a critical job (such as the one with the lock on the MSDTA82 data area) cannot end, then the ENDSBS will not complete, unless you manually force the job to end. Please check the QSYSOPR messages for completion messages for ALERT and TIMPGM before progressing with the save.

Interfacing Questions - Symantec’s ESM & ITA for System i

On which platform does the DetectIT ESM interface run?

The interface is available on IBM pSeries (RS/6000), Sun Solaris, Windows 2003 Server, Windows 2000 and Windows NT.

What is a “proxy agent”?

A proxy agent is an existing, working, ESM agent, which is to act as a proxy for the System i agent. When an OS/400 policy check is run from the ESM console, the ESM Manager communicates with the proxy agent to request the policy to be run. The proxy agent then contacts the System i to collect the data. Note: the ESM Manager and the proxy agent could be the same system, if you wish.

What do I need to do on the proxy agent before I install the interface?

The ESM 4.5 (or above) agent software must be installed and the proxy agent registered with the ESM manager. This will allow the interface install routine to register the OS/400 policy checks. It also ensures that the OS/400 policy checks can run successfully.

I have been told I need to register my System i with the ESM Manager. How do I do that?

Use the register command shipped with the ESM software. The following command string must be executed on the proxy agent:

register -A -x [agent] -X AS/400 -b as400 -m [manager] -U [user] -P [password]

where:

  • [agent] = name of the System i agent (use System i network attribute ‘Current system name’)
  • [manager] = ESM manager
  • [user] = ESM user name
  • [password] = ESM user password

Where can I find the register command?

The register command is located in the sub-directory containing the executables for the “native” ESM agent. The defaults are:

  • For Windows 2003:
    [ESM directory]\bin\w3s-ix86
  • For Windows 2000:
    [ESM directory]\bin\w2k-ix86
  • For Windows NT:
    [ESM directory]\bin\nt-ix86
  • For Solaris:
    [ESM directory]/bin/solaris-sparc
  • For AIX:
    [ESM directory]/bin/aix-rs6k

How do I check the System i “Current system name”?

Sign on to the System i, using the ALERT profile, enter the DSPNETA command.

Why does ‘register’ not recognize the OS/400 operating system?

The OS/400 operating system was introduced to ESM in release 4.5. Therefore the proxy agent must be running ESM 4.5 (or above).

Why does an AS/400 policy run complete with ERRORS?

The ESM “system” sub-directory must contain a sub-directory with the name of the System i agent. The System i agent sub-directory must also contain a “tmp” sub-directory. If these do not exist, create the directories using the following commands:

mkdir [ESM directory]\system\[agent]
mkdir [ESM directory]\system\[agent]\tmp

where:
[agent] = name of the System i agent (name as used in the ‘register’ command)

The System i sub-directory exists, but policy runs still complete with ERRORS. Why?

The DetectIT ESM interface must know the correct TCP/IP port to communicate with OS/400. Check whether the correct port number has been defined. The port details are stored in the file DTIHosts. DTIHosts is located in the sub-directory containing the executables for the “native” ESM agent.

How do I update file DTIHosts?

DTIHosts can be edited using any text file editor. For example:

  • For Windows 2003:
    edit [ESM directory]\bin\w3s-ix86\DTIHosts
  • For Windows 2000 :
    edit [ESM directory]\bin\w2k-ix86\DTIHosts
  • For Windows NT:
    edit [ESM directory]\bin\nt-ix86\DTIHosts
  • For Solaris:
    vi [ESM directory]/bin/solaris-sparc/DTIHosts
  • For AIX:
    vi [ESM directory]/bin/aix-rs6k/DTIHosts

Each line in DTIHosts must contain the following entries, separated by single spaces:

System i connection[space]TCP/IP port[space]System i name

where:

  • TCP/IP port = TCP/IP port number for communicating with the System i. This must be the same as defined on the System i through the “Work with TCP/IP Connections” option.
  • System i name = Name of the System i agent (as shown in ESM Manager)

Important note: Do NOT insert a space at the beginning of a line.
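As an added illustration (not Safestone code), the following Python reads a DTIHosts file in the layout described above, reports lines that break the rules (including the leading-space pitfall from the note), and looks up the port for a named System i agent. The sample file content is constructed; the FAQ does not say how the first field is used, so it is kept as an opaque string.

```python
"""Parser and validator for the DTIHosts file used by the DetectIT ESM interface.
Added illustration, not Safestone code. Assumes the FAQ's line layout:
'connection port name', separated by single spaces, no leading space."""
from typing import List, Optional, Tuple

Entry = Tuple[str, int, str]  # (System i connection, TCP/IP port, System i name)


def parse_dtihosts(text: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Return (entries, errors). Errors carry the 1-based line number so the
    offending line can be found in the editor; valid lines are still returned."""
    entries: List[Entry] = []
    errors: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.strip() == "":
            continue  # blank line: ignore
        if raw[0] in " \t":
            # The FAQ's important note: a leading space breaks the line.
            errors.append((lineno, "leading whitespace"))
            continue
        parts = raw.split(" ")
        if len(parts) != 3 or any(p == "" for p in parts):
            errors.append((lineno, "expected 'connection port name' separated by single spaces"))
            continue
        connection, port_text, name = parts
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            errors.append((lineno, f"invalid TCP/IP port {port_text!r}"))
            continue
        entries.append((connection, int(port_text), name))
    return entries, errors


def port_for_agent(entries: List[Entry], agent_name: str) -> Optional[int]:
    """Port the interface should use for a System i agent (as named in ESM Manager).
    The comparison ignores case because OS/400 system names are upper case."""
    for _connection, port, name in entries:
        if name.upper() == agent_name.upper():
            return port
    return None


# Constructed sample file; system names and port numbers are made up.
DTIHOSTS_SAMPLE = (
    "SYSTEMA 7500 SYSTEMA\n"
    "systemb.example.invalid 7501 SYSTEMB\n"
    " SYSTEMC 7502 SYSTEMC\n"      # leading space: rejected
    "SYSTEMD 70000 SYSTEMD\n"      # port out of range: rejected
    "SYSTEME 7503\n"               # System i name missing: rejected
)

if __name__ == "__main__":
    good, bad = parse_dtihosts(DTIHOSTS_SAMPLE)
    for entry in good:
        print("ok  ", entry)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
    print("port for SYSTEMB:", port_for_agent(good, "systemb"))
```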

What must be active on the System i for a policy run to succeed?

A DetectIT server job called ALERTDS01 must be active. This job runs in subsystem TIMPGM.

How do I start the ALERTDS01 server job?

The job is started automatically as part of the DetectIT subsystem start up routine. Use the STRALERT command to start the DetectIT subsystems.

Why is job ALERTDS01 not active after STRALERT has been run?

In order for the job to stay active the following conditions must be satisfied:

  • The DetectIT Security Audit and Detection module must be licensed on your System i
  • A TCP/IP port must be assigned to the ESM server job

How do I check / assign the TCP/IP port used by the ESM server job on the System i?

This can be done as follows:

DetectIT Native

  1. Sign on to the System i using the ALERT profile
  2. Execute the command WRKDTITCP

To assign the TCP/IP port:

  3. Select F6 = Add
  4. Enter option “1” against product “ESM”
  5. Enter the required TCP/IP port number (this must be the same as entered in “DTIHosts”)

To change the TCP/IP port:

  6. Enter option “2” against product “ESM”
  7. Enter the required TCP/IP port number (as entered in DTIHosts)

DetectIT Graphical

From the ‘System i Data’ drop down menu, select ‘Maintain TCP Connections’.

To assign the TCP/IP port:

  1. Select ‘Add’
  2. Highlight product “ESM” and select “Add”

To change the TCP/IP port:

  3. Highlight product “ESM” and select “Edit”

In either case, enter the required TCP/IP port number (as entered in DTIHosts).

My policy run completes normally, but there are no results to display. Why is this?

There are a couple of common reasons why this could be occurring. Please check the following:

  • Ensure that the correct TCP/IP port number is assigned to the ESM ‘product’ on the System i
  • Is there a firewall installed that may be restricting processing through the selected port number?

Interfacing Questions - Intruder Alert for System i

On which platform does the DetectIT/Intruder Alert interface run?

The interface is available on IBM pSeries (RS/6000), Sun Solaris, Windows NT and Windows 2000.

What do I need to do on the Intruder Alert agent machine before I install the interface?

The following steps are required:

For Windows NT/2000

  • Intruder Alert 3.5 agent software must be installed
  • The Intruder Alert agent must be registered with the manager

For Sun Solaris and AIX

  • Intruder Alert 3.0 (or above) agent software must be installed
  • The Intruder Alert agent must be registered with the manager

Intruder Alert must be monitoring the agent’s system log.

I get an installation error message on screen saying that the Intruder Alert installation directory could not be found. What do I need to do?

(NOTE: Windows NT or Windows 2000 only) The following steps are required:

  • Install Intruder Alert
  • Locate the file cols_nt.cfg

Add the following entry to file cols_nt.cfg:
\application\DTIITA

Where can I find the file cols_nt.cfg?

(NOTE: Windows NT or Windows 2000 only) The “cols_nt.cfg” file can be found in [Intruder Alert Directory]\System\[agent name]

where [agent name] = the Intruder Alert agent name

How can I verify/assign the TCP/IP port used by the Intruder Alert interface server?

For Windows NT/Windows 2000:
The installation of the Intruder Alert interface adds a program called ‘Port Maintenance’ to the Start Menu. This shows which port the server is currently listening on and lets you alter it: type the new port number where the cursor is shown and press OK, and the server will be configured to listen on that port.

For Sun Solaris & AIX:
Use the itadticfg command, which is shipped with the interface software. Run it on the Intruder Alert agent to verify the port currently in use:

itadticfg

To change the TCP/IP port for the server job, enter the command:

itadticfg -p[port]

Where:
[port] = New TCP/IP port number

Where can I find the itadticfg command?

The itadticfg command is located in the sub-directory containing the executables for the DetectIT Intruder Alert interface. Namely:

Sun Solaris
[Intruder Alert directory]/bin/solaris-sparc-as400

AIX
[Intruder Alert directory]/bin/aix-rs6k-as400

How do I start / stop the DetectIT interface server?

For Windows NT/2000:
The interface server is started / stopped automatically whenever the machine is booted up / shut down.

For Sun Solaris:
The interface server (called itadtid) is started / stopped automatically whenever the machine is booted up / shut down.

Alternatively, the itadtirc command can be used:

  • Stopping the server
    itadtirc stop
  • Starting the server
    itadtirc start

For AIX:
The interface server (called itadtid) is started / stopped using the itadtirc command:

  • Stopping the server
    itadtirc stop
  • Starting the server
    itadtirc start

Where can I find the itadtirc command?

The itadtirc command is located in the sub-directory containing the executables for the DetectIT interface. Namely:

Sun Solaris
[Intruder Alert directory]/bin/solaris-sparc-as400

AIX
[Intruder Alert directory]/bin/aix-rs6k-as400

What information does DetectIT send to Intruder Alert?

DetectIT sends selected messages from the Message Monitor function of the Security Audit and Detection Module to Intruder Alert. The administrator defines which events to send by assigning an “action item”, where one of the resulting actions is to send to the ‘external interface’ called Intruder Alert.

How do I configure a ‘message action item’ for Intruder Alert?

The message action item is configured against each message as follows:

NATIVE

  • Sign on as ALERT
  • Select “DetectIT- Security Audit and Detection Manager Menu”
  • Select “Work with Message Monitor”
  • Enter option 12 (Maintain MSGID Action item) against the required MSGID
  • Enter “*ITA” for the “External Interface”

GRAPHICAL MODULE - ADM

  • Navigate in the tree structure to “Message Monitor” and double-click it.
  • Find the message ID you want to send to Intruder Alert and highlight it.
  • Select “Maintain MSGID Action Item”
  • Enter “*ITA” for the “External Interface” and press OK.

NOTE - there are other parameters you can also define in the action item processing, for example tailoring the message text which is to be sent to Intruder Alert. Please see the help text for further explanations.

How often does DetectIT send the information to Intruder Alert?

The frequency of sending information depends upon the DetectIT settings:

  • Default - once a day
    By default the information is sent once a day during the DetectIT Daily Reporting Routine
  • Frequency update
    When using a “Frequency update” the information is sent at regular intervals throughout the day. This is configured in the ‘Audit Setup’ parameters - see field ‘Log Update Frequency’.

Why is there no System i information available on the Intruder Alert view?

In order for DetectIT to send the information the following conditions must be satisfied:

  • The DetectIT Security Audit and Detection module must have a valid license on the System i
  • A TCP/IP port must be assigned to Intruder Alert
  • The correct TCP/IP address of the Intruder Alert agent must be registered in DetectIT
  • The DetectIT interface server must be active on the Intruder Alert agent

Intruder Alert policies must have been created (or imported from the interface CD) to reference the System i message IDs. The policies must also have been registered with the appropriate domain within Intruder Alert.
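Two of the questions above (the ESM policy run that returns no results, and the Intruder Alert view with no System i information) come down to the same three checks: is the port assigned in DetectIT the one the server actually listens on, is the server job active, and is a firewall in the way. The following added example is not Safestone's code and assumes nothing about DetectIT; it is a plain TCP connect test, run from the client side towards the server's host and port, that separates the two failure modes: a connection refusal means the host answered but nothing is listening on that port (server not active, or port mismatch), while a timeout means nothing answered at all, which is the usual signature of a firewall dropping the traffic. The local listener is a constructed stand-in for the ESM or Intruder Alert interface server so the example runs offline.

```python
import socket


def diagnose_tcp(host, port, timeout=3.0):
    """Classify a TCP connect attempt to host:port.

    Returns one of:
      "ok"       - a listener accepted the connection
      "refused"  - the host answered but nothing listens on that port
                   (server job not active, or the port differs from the one
                   assigned in DetectIT via WRKDTITCP)
      "timeout"  - no answer at all; usually a firewall dropping traffic
      "error: …" - name resolution or other socket failure
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "ok"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"
    finally:
        s.close()


def local_listener():
    """Constructed stand-in for the ESM / Intruder Alert interface server.

    Listens on an ephemeral loopback port and returns (socket, port) so the
    caller can close it to simulate the server job being down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo():
    """Probe the stand-in server while it is up and again after it is stopped."""
    srv, port = local_listener()
    try:
        with_server = diagnose_tcp("127.0.0.1", port)
    finally:
        srv.close()
    without_server = diagnose_tcp("127.0.0.1", port)
    return with_server, without_server


if __name__ == "__main__":
    # Against a real deployment: diagnose_tcp("<ITA agent or ESM host>", <assigned port>)
    print(demo())
```

Run it from the machine that cannot see the data (the DetectIT graphical client, or the Intruder Alert agent host) against the System i's address and the port shown by WRKDTITCP; "refused" points at the server job or port assignment, "timeout" at the network path.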

How do I check / assign the TCP/IP port assigned to Intruder Alert on the System i?

This is done as follows:

DetectIT Native

  • Sign on to the System i using the ALERT profile
  • Execute the command WRKDTITCP

To assign the TCP/IP port:

  • Select F6 = Add
  • Enter option “1” against product “ITA”
  • Enter the required TCP/IP port number (this must be the same as entered during the interface installation or when you used the itadticfg command).

To change the TCP/IP port:

  • Enter option “2” against product “ITA”
  • Enter the required TCP/IP port number.

DetectIT Graphical

From the ‘System i Data’ drop-down menu, select ‘Maintain TCP Connections’.

To assign the TCP/IP port:

  • Select ‘Add’
  • Highlight product “ITA” and select “Add”
  • Enter the required TCP/IP port number (as entered during the interface installation or when you used the itadticfg command)

To change the TCP/IP port:

  • Highlight product “ITA” and select “Edit”.
  • Enter the required TCP/IP port number (as entered during the interface installation or when you used the itadticfg command)

How do I check / assign the TCP/IP address of the ITA agent on the System i?

This can be achieved as follows:

Native

  • Signon to the System i using the ALERT profile
  • Enter the command SECEXEC MSP5966, press Enter

To assign the TCP/IP address:

  • Take F6 = Add
  • Input “*ITA” as the profile name
  • Press Enter
  • Enter the TCP/IP address for the ITA agent machine

To change the TCP/IP address:

  • Enter option “2″ against profile “*ITA”
  • Enter the required TCP/IP address.

Graphical

From the ‘System i Data’ drop-down menu, select ‘Maintain TCP Profiles’.

To assign the TCP/IP address:

  • Select ‘Add’
  • Enter a product name of “*ITA”, the IP address of the ITA agent and a brief description. Press OK.

To change the TCP/IP address of the ITA agent:

  • Highlight product “*ITA” and select “Edit”.
  • Enter the IP address of the ITA agent and a brief description. Press OK.

Interfacing Questions - SecurID for System i

The following questions are answered below. Click on a question to view the answer:

How do I register a System i agent?

The System i agents are registered in the same manner as existing ACE/Agents. To do this you must use the Administration facility on the ACE/Server. For a System i agent, the type must be specified as “UNIX”.

Where is the “sdconf.rec” record stored on the System i?

The “sdconf.rec” record is held as file SDCONF in library @MS. @MS is installed as part of the DetectIT installation.

Where is the node secret stored on the System i?

The node secret is stored as file SECURID in library @MS. It is the shared secret that authenticates the System i agent to the ACE/Server, so treat the file as a credential and keep its object authority restricted.

How do I remove the node secret?

The node secret is removed using the following command:

DLTF FILE(@MS/SECURID)

The ACE/Server keeps its own record of the node secret issued to this agent. If you delete the file on the System i, clear the node secret for the agent on the ACE/Server as well (refer to your ACE/Server documentation), otherwise the two sides will no longer agree and authentication will fail until a new secret has been exchanged.

Why do I keep receiving the message: “Cannot initialize client-server communications”?

There are several areas which need to be checked:

  • The TCP/IP host name for the System i (on the System i) must begin with the System i system name and have the domain name as the suffix. For example:

    System name: SYSTEM IA
    Domain name: XYZ.COM
    Host name must be: SYSTEM IA.XYZ.COM

    Note: If any changes are made to the TCP/IP configuration of the System i, TCP/IP must be restarted. The System i line description may also need to be varied off and varied on again.

  • The “Database broker” has not been started on the ACE/Server
    Please refer to the appropriate documentation for your ACE/Server
  • The ACE/Server services are not started
    Please refer to the appropriate documentation for your ACE/Server
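The host name rule above is easy to get subtly wrong (a short name with no domain, a domain that differs from the one the ACE/Server knows, or a system name that does not match). The following added example is not Safestone's or RSA's code; it is a small check that compares the System i host name against the system name and domain name and reports which part is wrong, so the administrator knows which TCP/IP setting to correct. DNS names are case-insensitive and may carry a trailing dot, so both are normalised before comparing. The names used in the calls below are constructed.

```python
def diagnose_host_name(host_name, system_name, domain_name):
    """Check the System i TCP/IP host name against the SecurID requirement:
    it must be the system name followed by the domain name as suffix.

    Returns "ok", or a short description of what is wrong. The comparison is
    case-insensitive (DNS names are) and ignores a trailing dot on either
    the host name or the domain name.
    """
    name = host_name.strip().rstrip(".").lower()
    sysname = system_name.strip().lower()
    domain = domain_name.strip().rstrip(".").lower()

    if "." not in name:
        return "host name has no domain suffix (short name only)"

    first, _, rest = name.partition(".")
    if first != sysname:
        return f"host name starts with '{first}', expected system name '{sysname}'"
    if rest != domain:
        return f"host name ends with '{rest}', expected domain '{domain}'"
    return "ok"


if __name__ == "__main__":
    # Constructed values; substitute the host, system and domain names from
    # your own System i TCP/IP configuration.
    checks = [
        ("SYSTEM1.XYZ.COM", "SYSTEM1", "XYZ.COM"),   # correct
        ("SYSTEM1", "SYSTEM1", "XYZ.COM"),           # no domain suffix
        ("SYS1.XYZ.COM", "SYSTEM1", "XYZ.COM"),      # wrong system name
        ("SYSTEM1.ABC.COM", "SYSTEM1", "XYZ.COM"),   # wrong domain
    ]
    for host, sysname, domain in checks:
        print(f"{host:20} -> {diagnose_host_name(host, sysname, domain)}")
```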

How do I activate SecurID authentication for System i sign on?

The authentication can be activated at DetectIT system level or at an individual profile level. For either level the profile must be activated within DetectIT.

  • DetectIT system level
    Use the “Work with user “EXIT” points” option and update the ‘SIGNON’ exit point with “*SECURID”.
  • Profile level
    Use DetectIT Profile Maintenance to ‘Activate profile’ within DetectIT, then update the “Sign on” exit point with “*SECURID”.

How do I activate a profile within DetectIT?

The profile details must exist within DetectIT:

  • For an existing OS/400 profile
    Use command RTVPRFA to initialize DetectIT, then the WRKPRF command.
  • For a new OS/400 profile
    Use WRKPRF command to add a new profile.

With both of these options change the “Activate DetectIT” flag to “Y”.

The Americas Headquarters
Safestone Technologies Inc
1364 Welsh Road
B1, North Wales
PA 19454 USA

European Head Office
Safestone Technologies Ltd
Unit 25 President Buildings
President Way
Sheffield, UK
S4 7UR